HIGHCVE-2026-23169Published Modified CNA Linux
CVE-2026-23169: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup() Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready. list_splice_init_rcu() can not be called here while holding pernet->lock spinlock. Many thanks to Eulgyu Kim for providing a repro and testing our patches.
Metrics
- CVSS v3.1
- 7.8
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
01f1b9523527df02685dde603f20ff6e603d8e4a1338d40bab283da2639780ee3e458fb61f1567d8c455e882192c9833f176f3fbbbb2f036b6c5bf5555.15.20151223bdd0f60b06cfc7f25885c4d4be917adba946.1.1646.6.1256.12.726.18.96.197896dbe990d56d5bb8097863b2645355633665ebe2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d
Affected packages
- Linux / Linux< 338d40bab283da2639780ee3e458fb61f1567d8c (from 141694df6573b49aa4143c92556544b4b0bbda72) · < 7896dbe990d56d5bb8097863b2645355633665eb (from 141694df6573b49aa4143c92556544b4b0bbda72) · < 455e882192c9833f176f3fbbbb2f036b6c5bf555 (from 141694df6573b49aa4143c92556544b4b0bbda72) · < 51223bdd0f60b06cfc7f25885c4d4be917adba94 (from 141694df6573b49aa4143c92556544b4b0bbda72) · < 1f1b9523527df02685dde603f20ff6e603d8e4a1 (from 141694df6573b49aa4143c92556544b4b0bbda72) · < e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d (from 141694df6573b49aa4143c92556544b4b0bbda72)
- Linux / Linux5.11Fixed in 0, 5.15.201, 6.1.164, 6.6.125, 6.12.72, 6.18.9, 6.19
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H